About 1.1 million fingerprint records were thought to have been swiped by the intruders, but the OPM said on Wednesday that figure should be 5.6 million. A good number of these prints will belong to government employees who have applied for security clearances.

The agency said it had found evidence of the latest theft when it was checking over records with the Department of Defense as part of the post-attack forensics. Why this took three months to spot has not been explained.

The OPM claims there is little cause for concern, as "the ability to misuse fingerprint data is limited," but that "this probability could change over time as technology evolves." This suggests the OPM's investigators don't go to hacking conferences, where the ability to create dummy fingerprints from printed records, or even photographs, is routinely demonstrated.

"An interagency working group with expertise in this area – including the FBI, DHS, DOD, and other members of the Intelligence Community – will review the potential ways adversaries could misuse fingerprint data now and in the future," the OPM said in a statement.

"This group will also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach."

The OPM should have added "eventually" to that statement. Earlier this month the agency admitted that some people who had had their information stolen have still not been informed or offered credit protection.

In the meantime, the OPM is asking Uncle Sam for an additional $21m in funding so that it can harden its systems to avoid this kind of hack in the future. ®